

<!DOCTYPE html>
<html class="writer-html5" lang="en" >
<head>
  <meta charset="utf-8" />
  <meta name="generator" content="Docutils 0.19: https://docutils.sourceforge.io/" />

  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
  
  <title>Encryption &mdash; Ceph Documentation</title>
  

  
  <link rel="stylesheet" href="../../../_static/ceph.css" type="text/css" />
  <link rel="stylesheet" href="../../../_static/pygments.css" type="text/css" />
  <link rel="stylesheet" href="../../../_static/graphviz.css" type="text/css" />
  <link rel="stylesheet" href="../../../_static/css/custom.css" type="text/css" />

  
  

  
  

  

  
  <!--[if lt IE 9]>
    <script src="../../../_static/js/html5shiv.min.js"></script>
  <![endif]-->
  
    
      <script type="text/javascript" id="documentation_options" data-url_root="../../../" src="../../../_static/documentation_options.js"></script>
        <script src="../../../_static/jquery.js"></script>
        <script src="../../../_static/_sphinx_javascript_frameworks_compat.js"></script>
        <script src="../../../_static/doctools.js"></script>
        <script src="../../../_static/sphinx_highlight.js"></script>
    
    <script type="text/javascript" src="../../../_static/js/theme.js"></script>

    
    <link rel="index" title="Index" href="../../../genindex/" />
    <link rel="search" title="Search" href="../../../search/" />
    <link rel="next" title="prepare" href="../prepare/" />
    <link rel="prev" title="batch" href="../batch/" /> 
</head>

<body class="wy-body-for-nav">

   
  <header class="top-bar">
  </header>
  <div class="wy-grid-for-nav">
    
    <nav data-toggle="wy-nav-shift" class="wy-nav-side">
      <div class="wy-side-scroll">
        <div class="wy-side-nav-search"  style="background: #eee" >
          

          
            <a href="../../../" class="icon icon-home"> Ceph
          

          
          </a>

          

          

          
        </div>

        
        
      </div>
    </nav>

    <section data-toggle="wy-nav-shift" class="wy-nav-content-wrap">

      
      <nav class="wy-nav-top" aria-label="top navigation">
        
          <i data-toggle="wy-nav-top" class="fa fa-bars"></i>
          <a href="../../../">Ceph</a>
        
      </nav>


      <div class="wy-nav-content">
        
        <div class="rst-content">
        
          <div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article">
           <div itemprop="articleBody">
            
<div id="dev-warning" class="admonition note">
  <p class="first admonition-title">Notice</p>
  <p class="last">This document is for a development version of Ceph.</p>
</div>

  
  <section id="ceph-volume-lvm-encryption">
<span id="id1"></span><h1>Encryption<a class="headerlink" href="#ceph-volume-lvm-encryption" title="Permalink to this heading"></a></h1>
<p>Logical volumes can be encrypted using <code class="docutils literal notranslate"><span class="pre">dmcrypt</span></code> by specifying the
<code class="docutils literal notranslate"><span class="pre">--dmcrypt</span></code> flag when creating OSDs. When using LVM, logical volumes can be
encrypted in different ways. <code class="docutils literal notranslate"><span class="pre">ceph-volume</span></code> does not offer as many options as
LVM does, but it encrypts logical volumes in a way that is consistent and
robust.</p>
<p>In this case, <code class="docutils literal notranslate"><span class="pre">ceph-volume</span> <span class="pre">lvm</span></code> follows this constraint:</p>
<ul class="simple">
<li><p>Non-LVM devices (such as partitions) are encrypted with the same OSD key.</p></li>
</ul>
<section id="luks">
<h2>LUKS<a class="headerlink" href="#luks" title="Permalink to this heading"></a></h2>
<p>There are currently two versions of LUKS, 1 and 2. Version 2 is a bit easier to
implement but not widely available in all Linux distributions supported by
Ceph.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>Version 1 of LUKS is referred to in this documentation as “LUKS”.
Version 2 of LUKS is referred to in this documentation as “LUKS2”.</p>
</div>
</section>
<section id="luks-on-lvm">
<h2>LUKS on LVM<a class="headerlink" href="#luks-on-lvm" title="Permalink to this heading"></a></h2>
<p>Encryption is done on top of existing logical volumes (this is not the same as
encrypting the physical device). Any single logical volume can be encrypted,
leaving other volumes unencrypted. This method also allows for flexible logical
volume setups, since encryption will happen once the LV is created.</p>
</section>
<section id="id2">
<h2>Workflow<a class="headerlink" href="#id2" title="Permalink to this heading"></a></h2>
<p>While the OSD is being set up, a key is created; it is wrapped in JSON and
passed to the monitors via <code class="docutils literal notranslate"><span class="pre">stdin</span></code> so that it is not logged.</p>
<p>The JSON content looks like this:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">{</span>
    <span class="s2">&quot;cephx_secret&quot;</span><span class="p">:</span> <span class="n">CEPHX_SECRET</span><span class="p">,</span>
    <span class="s2">&quot;dmcrypt_key&quot;</span><span class="p">:</span> <span class="n">DMCRYPT_KEY</span><span class="p">,</span>
    <span class="s2">&quot;cephx_lockbox_secret&quot;</span><span class="p">:</span> <span class="n">LOCKBOX_SECRET</span><span class="p">,</span>
<span class="p">}</span>
</pre></div>
</div>
<p>The naming convention for the keys is <strong>strict</strong>: the names match the
hardcoded (legacy) names used by ceph-disk.</p>
<ul class="simple">
<li><p><code class="docutils literal notranslate"><span class="pre">cephx_secret</span></code> : The cephx key used to authenticate</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">dmcrypt_key</span></code> : The secret (or private) key to unlock encrypted devices</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">cephx_lockbox_secret</span></code> : The authentication key used to retrieve the
<code class="docutils literal notranslate"><span class="pre">dmcrypt_key</span></code>. It is named <em>lockbox</em> because ceph-disk used to have an
unencrypted partition named after it, which was used to store public keys and
other OSD metadata.</p></li>
</ul>
<p>The naming convention is strict because Monitors supported the naming
convention of ceph-disk, which used these key names. In order to maintain
compatibility and prevent ceph-disk from breaking, ceph-volume uses the same
naming convention <em>although it does not make sense for the new encryption
workflow</em>.</p>
<p>After the common steps of setting up the OSD during the “prepare stage”
(with <a class="reference internal" href="../../../glossary/#term-BlueStore"><span class="xref std std-term">bluestore</span></a>), the logical volume is left ready
to be activated, regardless of the state of the device (encrypted or
decrypted).</p>
<p>At the time of its activation, the logical volume is decrypted. The OSD starts
after the process completes correctly.</p>
</section>
<section id="summary-of-the-encryption-workflow-for-creating-a-new-osd">
<h2>Summary of the encryption workflow for creating a new OSD<a class="headerlink" href="#summary-of-the-encryption-workflow-for-creating-a-new-osd" title="Permalink to this heading"></a></h2>
<ol class="arabic simple">
<li><p>OSD is created. Both lockbox and dmcrypt keys are created and sent to the
monitors in JSON format, indicating an encrypted OSD.</p></li>
<li><p>All complementary devices (like journal, db, or wal) get created and
encrypted with the same OSD key. The key is stored in the LVM metadata of the
OSD.</p></li>
<li><p>Activation continues by ensuring devices are mounted, retrieving the dmcrypt
secret key from the monitors, and decrypting before the OSD gets started.</p></li>
</ol>
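<p>As an added example (not ceph-volume's own code), the following Python models the two constraints that the workflow above and the JSON payload described earlier impose: the three key names are fixed, and the secrets reach the consuming command over <code class="docutils literal notranslate"><span class="pre">stdin</span></code> rather than on a command line that process listings or logging would capture. The 128-byte key size, the helper names and the echo stand-in for the monitor-facing command are assumptions of this example, not taken from the page.</p>

```python
import base64
import json
import os
import subprocess
import sys

# Key names are fixed by the legacy ceph-disk convention the monitors still
# expect; a payload with any other names is refused before it is sent.
REQUIRED_KEYS = ("cephx_secret", "dmcrypt_key", "cephx_lockbox_secret")


def new_dmcrypt_key(nbytes=128):
    """Random dmcrypt key, base64-encoded so it survives JSON (size is assumed)."""
    return base64.b64encode(os.urandom(nbytes)).decode("ascii")


def payload_problems(payload):
    """Naming/content violations as a list; an empty list means the payload is valid."""
    problems = ["unexpected key %r" % k for k in sorted(set(payload) - set(REQUIRED_KEYS))]
    for name in REQUIRED_KEYS:
        value = payload.get(name)
        if not isinstance(value, str) or not value:
            problems.append("%s must be a non-empty string" % name)
    return problems


def build_osd_secrets(cephx_secret, dmcrypt_key, lockbox_secret):
    """Assemble the JSON payload for an encrypted OSD under the strict key names."""
    payload = {"cephx_secret": cephx_secret, "dmcrypt_key": dmcrypt_key,
               "cephx_lockbox_secret": lockbox_secret}
    problems = payload_problems(payload)
    if problems:
        raise ValueError("; ".join(problems))
    return payload


def argv_leaks_secret(argv, payload):
    """True if a secret value sits on the command line, where process listings,
    shell history and command logging would capture it."""
    return any(value in arg for arg in argv for value in payload.values())


def send_secrets_via_stdin(argv, payload):
    """Run a command and hand it the secrets as JSON on stdin, never in argv."""
    if argv_leaks_secret(argv, payload):
        raise ValueError("refusing to pass a secret on the command line")
    data = json.dumps(payload).encode("utf-8")
    return subprocess.run(argv, input=data, capture_output=True, check=True).stdout


def roundtrip_via_echo(payload):
    """Stand-in consumer (assumed) that echoes stdin back so the transport can be
    checked offline; a real run would target the monitor-facing ceph command."""
    echo = [sys.executable, "-c", "import sys; sys.stdout.write(sys.stdin.read())"]
    return json.loads(send_secrets_via_stdin(echo, payload).decode("utf-8"))
```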
</section>
</section>





           </div>
           
          </div>
          <footer><div class="rst-footer-buttons" role="navigation" aria-label="Footer">
    </div>

  <hr/>

  <div role="contentinfo">
    <p>&#169; Copyright 2016, Ceph authors and contributors. Licensed under Creative Commons Attribution Share Alike 3.0 (CC-BY-SA-3.0).</p>
  </div>

   

</footer>
        </div>
      </div>

    </section>

  </div>
  

  <script type="text/javascript">
      jQuery(function () {
          SphinxRtdTheme.Navigation.enable(true);
      });
  </script>

  
  
    
   

</body>
</html>